Passive SSH key compromise via lattices
We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included inform...
| Main Authors: | , , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
ACM|Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
2023
|
| Online Access: | https://hdl.handle.net/1721.1/153136 |
| _version_ | 1811088178641108992 |
|---|---|
| author | Ryan, Keegan He, Kaiwen Sullivan, George Heninger, Nadia |
| author2 | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science |
| author_facet | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science Ryan, Keegan He, Kaiwen Sullivan, George Heninger, Nadia |
| author_sort | Ryan, Keegan |
| collection | MIT |
| description | We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. We show that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use our attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations. |
| first_indexed | 2024-09-23T13:57:30Z |
| format | Article |
| id | mit-1721.1/153136 |
| institution | Massachusetts Institute of Technology |
| language | English |
| last_indexed | 2024-09-23T13:57:30Z |
| publishDate | 2023 |
| publisher | ACM|Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security |
| record_format | dspace |
| spelling | mit-1721.1/1531362024-01-23T18:18:29Z Passive SSH key compromise via lattices Ryan, Keegan He, Kaiwen Sullivan, George Heninger, Nadia Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. We show that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use our attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations. 2023-12-12T13:49:36Z 2023-12-12T13:49:36Z 2023-11-15 2023-12-01T08:45:26Z Article http://purl.org/eprint/type/ConferencePaper https://hdl.handle.net/1721.1/153136 Ryan, Keegan, He, Kaiwen, Sullivan, George and Heninger, Nadia. 2023. "Passive SSH key compromise via lattices." PUBLISHER_CC en https://doi.org/10.1145/3576915.3616629 Creative Commons Attribution https://creativecommons.org/licenses/by/4.0/ The author(s) application/pdf ACM|Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security Association for Computing Machinery |
| spellingShingle | Ryan, Keegan He, Kaiwen Sullivan, George Heninger, Nadia Passive SSH key compromise via lattices |
| title | Passive SSH key compromise via lattices |
| title_full | Passive SSH key compromise via lattices |
| title_fullStr | Passive SSH key compromise via lattices |
| title_full_unstemmed | Passive SSH key compromise via lattices |
| title_short | Passive SSH key compromise via lattices |
| title_sort | passive ssh key compromise via lattices |
| url | https://hdl.handle.net/1721.1/153136 |
| work_keys_str_mv | AT ryankeegan passivesshkeycompromisevialattices AT hekaiwen passivesshkeycompromisevialattices AT sullivangeorge passivesshkeycompromisevialattices AT heningernadia passivesshkeycompromisevialattices |